1.3.4 Ensure 'Maximum lifetime for user ticket renewal' is set to '7 or fewer days' (STIG DC only)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This security setting determines the period of time (in days) during which a user's ticket-granting ticket can be renewed.

The STIG recommended state for this setting is: 7 or fewer days.

Rationale:

If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to 7 or fewer days:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for user ticket renewal

Default Value:

7 days




Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205705
Rule ID: SV-205705r569188_rule
STIG ID: WN19-DC-000050
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3345